[OWASP-TESTING] Timeline for 2nd phase

Eoin Keary eoinkeary at hotmail.com
Fri Jun 24 08:42:13 EDT 2005


We can't go ahead and redefine these functions.

Where did you get "think PT is more suitable for the Network level, VA is 
more suitable for the Application level." This is not the industry view.

If we want industry buy-in we need to adopt industry nomenclature and not 
reinvent the wheel.
Anyways, the doc is not a "hacking 101" doc; it's an attempt to standardize pen 
testing functionality and hence the quality of what OWASP endorses?
Eoin




>From: Matteo Meucci <matteo.meucci at gmail.com>
>Reply-To: Matteo Meucci <matteo.meucci at gmail.com>
>To: Daniel Cuthbert <daniel.cuthbert at owasp.org>
>CC: owasp-testing at lists.sourceforge.net
>Subject: Re: [OWASP-TESTING] Timeline for 2nd phase
>Date: Fri, 24 Jun 2005 12:24:19 +0200
>
>I understand your opinion but I think that it is important:
>- to distinguish the Network PT from WebApp PT (or VA):
>I think PT is more suitable for the Network level, VA is more suitable
>  for the Application level.
>- give a document that will be the standard "de facto": if the term
>WAVA is more diffused than WAPT, I think we have to choose the first
>one.
>
>Mat
>
>
>
>On 6/24/05, Daniel Cuthbert <daniel.cuthbert at owasp.org> wrote:
> > Here is how the two terms have always been seen in the industry:
> >
> > vulnerability assessment -> find the security hole BUT do not exploit
> > the hole to prove it's exploitable
> > penetration test -> find the security hole and try and exploit/gain
> > access as much as possible
> >
> > Are we saying that this guide will only give the 1st steps for
> > finding the hole, but not how to gain further access into the
> > application
> >
> > an example would be:
> >
> > input form vulnerable to sql injection
> > --> add %27 to determine impact
> >   --> add ; exec master..xp_cmdShell 'net user OWASP /add' --
> >    --> then execute ; exec master..xp_cmdShell 'net localgroup
> > administrators OWASP /add' --
> >    --> and then add the user with admin priv's within the db itself
> >
> > See if we are only going to show how to do the 1st step, then how
> > would someone actually know if it was possible to exploit the app
> >
> > The problem today is that there are way too many consultants out
> > there who are "vulnerability assessors", but actually have no clue on
> > how to take the test to the next step
> >
> >
> > On 24 Jun 2005, at 10:15, Matteo Meucci wrote:
> >
> > > Ok Daniel,
> > > I've two questions:
> > > 1) The title: "OWASP Guide to Web Application Penetration Testing"
> > > Why not: "OWASP Guide to Web Application Vulnerability Assessment"
> > > I think "WAVA" is more suitable.
> > > 2) Timeline: in Italy from 1st August to 15th everything is closed,
> > > and also all the people are on vacation...
> > >
> > > Just my thought.
> > > Mat
> > >
> > >
> > > On 6/23/05, Daniel Cuthbert <daniel.cuthbert at owasp.org> wrote:
> > >
> > >> Thanks to Javier, here is the timeline:
> > >>
> > >> --------------------------------------------------------
> > >> August 1st - first version of the volunteered sections
> > >> [ peer review of sections, detection of who is not active, decision
> > >> to offer up sections to others if people are overloaded, etc ]
> > >>
> > >> August 15th - final version of the sections
> > >> [ peer review of sections, editorial changes ]
> > >>
> > >> August 31st - first document draft (all sections put together)
> > >>
> > >> [ peer review of the document]
> > >>
> > >> September 30th - final release of section 2
> > >> ---------------------------------------------------------------
> > >>
> > >> You will notice the date of release has been extended, as I know it
> > >> will not be done in 2 weeks :0)
> > >>
> > >> Also.. the name of this guide will become the OWASP Guide to Web
> > >> Application Penetration Testing. For us to even try and call it a
> > >> testing guide, when in reality it has always been a penetration test
> > >> guide, is just mad. We don't, and won't, cover all aspects of web
> > >> application testing and this document should represent that.
> > >>
> > >> I will be sending out an updated structure doc with everyone's
> > >> names soon
> > >>
> > >> Daniel
> > >>
> > >>
> > >>
> > >> _______________________________________________
> > >> owasp-testing mailing list
> > >> owasp-testing at lists.sourceforge.net
> > >> https://lists.sourceforge.net/lists/listinfo/owasp-testing
> >
>
>
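A defender-side illustration of the VA-versus-PT distinction Daniel draws in the thread, as an added example that is not part of the original messages: it triages constructed web-server log lines and separates a first-step probe (the percent-encoded single quote) from an attempt to escalate through a stacked query reaching xp_cmdshell. The log lines, the regex and the function names are my own assumptions.

```python
import re
from urllib.parse import unquote

# Constructed sample access-log lines (not taken from the thread). The payloads
# mirror the probe-then-escalate chain described above, percent-encoded as a
# web server would record them.
SAMPLE_LOG = """\
10.0.0.5 - - [24/Jun/2005:10:15:02 +0200] "GET /login.asp?user=owasp HTTP/1.1" 200 512
10.0.0.7 - - [24/Jun/2005:10:15:09 +0200] "GET /login.asp?user=owasp%27 HTTP/1.1" 500 231
10.0.0.7 - - [24/Jun/2005:10:15:31 +0200] "GET /login.asp?user=owasp%27%3B%20exec%20master..xp_cmdshell%20%27net%20user%20OWASP%20/add%27%20-- HTTP/1.1" 500 231
"""

# Minimal combined-log-format parser (assumed layout): client IP, timestamp,
# request line and status code are all we need for triage.
REQUEST_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)


def classify_request(path: str) -> str:
    """Return 'benign', 'probe' (VA-style: a lone quote used to reveal the hole)
    or 'exploit' (PT-style: stacked query trying to reach xp_cmdshell).
    The path is URL-decoded first so %27 and %3B are seen as ' and ;."""
    decoded = unquote(path).lower()
    if "xp_cmdshell" in decoded or re.search(r";\s*exec\b", decoded):
        return "exploit"
    if "'" in decoded:
        return "probe"
    return "benign"


def triage(log_text: str) -> list:
    """Return (ip, stage, status) for every non-benign request in the log."""
    findings = []
    for line in log_text.splitlines():
        m = REQUEST_RE.match(line)
        if not m:
            continue  # skip lines that do not parse as a request
        stage = classify_request(m["path"])
        if stage != "benign":
            findings.append((m["ip"], stage, m["status"]))
    return findings


if __name__ == "__main__":
    for ip, stage, status in triage(SAMPLE_LOG):
        print(f"{ip} {stage} (HTTP {status})")
```

The same source first probing and then escalating within seconds is the signal that distinguishes a reconnaissance-only assessment from an active exploitation attempt.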
